Yahoo Loses 500 Million, MILLION User Account Details!

Bob Lord, CISO over at Yahoo, has confirmed the company was hacked and the perpetrators got away with account information for half a billion users. In what is likely to be one of the largest hacks of all time, Bob’s statement casually drops in the following: “investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network”. That’s right, according to Bob, they were attacked by a NATION STATE!

No ifs, no buts: the state-sponsored actor is no longer in their network. It is unusual for an attack victim to lay the blame for an attack squarely at the feet of a nation state, especially for such a large, high-profile hack. For Yahoo to come out and confirm without hesitation that they believe it was a nation state attack is a big deal, and implies they have some pretty solid evidence.

While banking details were not included in the leaked data, email addresses, dates of birth, password hashes, phone numbers and in some cases security questions and answers were. We know this because the data was for sale on the dark web two months ago for three bitcoins, at the time worth around $1800 USD. The passwords were hashed with MD5, which would be a trivial exercise for a noob hacker to crack, let alone a nation state. Which brings us to the next question: if this is a nation state attack, as suggested by Yahoo, what was the motivation for selling the leaked data on the dark web?

Is the nation state running short of a few coins to stay in business? Was it an independent contractor who thought he would sell the data after previously providing it to the nation state? Or did the nation state want the hack, and evidence of it, to make its way into public knowledge? The leaked data was released within days of Verizon announcing that they were interested in acquiring the struggling portal.

The data was old; the attack occurred in late 2014, according to Yahoo, which means the “nation state” had 18 months of free access to the data before it was released to the internet public. That’s 18 months of knowing 500 million email addresses and passwords for specific users, which of course gives you access to all the accounts that email was associated with. All you would need to do is attempt to log in to a third-party site with the known email and password; if that doesn’t work you can get the site to send a “forgotten password” reset request to the registered Yahoo email address. The “nation state” could then log in to that Yahoo account and intercept the password reset request.

Bob Lord can’t be feeling too secure in his current CISO role. The company was hacked in 2014 and this was not detected by Yahoo; in fact, if the hacker had not decided to sell the leaked data, presumably Yahoo would be none the wiser even today. But more damning is the fact that it was yet another two months after the data was available online before they confirmed the breach. They could have spent 3 bitcoins, bought the data and confirmed within hours that they were breached; the hackers even provide a sample set before you have to hand over bitcoins. Two months is unacceptable.

The entrepreneurial hacker goes by the name of peace_of_mind (he prefers to be called Peace, but that name was already claimed on the platform) and specialises in selling cracked database data on the dark web marketplace TheRealDeal. He claims to be Russian, belonging to a hacker collective, and is currently selling leaked data from Twitter, LinkedIn and MySpace. He also claims that all the leaked data was obtained by him and/or the hacker collective that he belongs to, not a nation state.

It is hard to verify claims of anonymous users on the web, but to be clear, this guy has the data for sale, along with a bunch of other hacked data from large corporations across the globe, and he is claiming, and acting like, he is just part of a hacking collective, not a nation state. We will never know for sure, but for Yahoo to turn around and claim they were attacked by a nation state is an intriguing statement. I mean, a nation state is hardly going to leave “Russia was here” or “China was here” graffiti all across your network; attribution of any hacking attack, beyond the nature of the attack itself, is difficult, so to claim with certainty that you were attacked by a nation state seems a little optimistic.

Of course, if it were a “nation state”, what more could the Yahoo security team do? They were attacked by a well-funded nation state that, presumably, specialises in breaking into highly secure networks across the globe; the Yahoo security team had no chance. Of course, if it were a bunch of self-taught guys working out of their bedrooms, then the Yahoo security team is incompetent and not fit for purpose.